Doug Vitale Tech Blog

May-June 2015 News Archive


SSL 3.0 Is Now Officially Deprecated

26 Jun 2015 – The IETF has taken an official stance in the matter: SSL 3.0 is now deprecated. It’s been a long time coming. With POODLE as its best-known attack, the death of SSLv3 is a very welcome one. [More]


Trojan that hides inside images infects healthcare

CSO, 25 Jun 2015 – A Trojan that hides its malicious code inside PNG image files counts healthcare organizations in the U.S. among its primary targets. The Stegoloader Trojan uses digital steganography techniques to sneak past computer and network defenses. According to a recent report from Dell SecureWorks, the Trojan is designed to steal files, information and passwords from infected systems, but has additional modules that extend its functionality. [More]


The Dark Web as You Know It Is a Myth

Wired, 18 Jun 2015 – The ‘Dark Web’ may be close to becoming a household name. After the conviction of Ross Ulbricht, the owner of the drug marketplace Silk Road, and a stream of articles claiming that the Islamic State is using secret websites to plan out attacks, this hidden part of the Internet is being talked about more than ever. But for the most part, the story you’ve been sold about the Dark Web is a myth. [More]


Feds can press charges for clearing browser history

Verge, 6 Jun 2015 – The Sarbanes-Oxley Act has subtly provided the legal groundwork for prosecuting people for something like deleting their browser history. One such case is that of Khairullozhon Matanov, a 24-year-old former cab driver who ate dinner with Tamerlan and Dzhokhar Tsarnaev the night of the Boston Marathon bombings. Federal prosecutors have charged Matanov under Sarbanes-Oxley for destroying evidence. [More]


NSA surveillance: how librarians have been on the front line to protect privacy

The Guardian, 5 Jun 2015 – US libraries were once protected from blanket requests for records of what their patrons were reading or viewing online, but the legislation rushed through after 9/11 threatened to wreck this tradition of confidentiality in ways that presaged later discoveries of bulk telephone and Internet record collection. In 2005, four librarians from Connecticut also successfully fought an FBI request to use national security letters to seize reading records and hard drives, forcing the government to drop the case and back off. [More]


Chinese hackers stole 4 million federal employees’ personal information

Washington Times, 4 Jun 2015 – China-based hackers stole sensitive personal information on as many as 4 million current and former federal employees from government computers, underscoring the growing threats to data stored even in what are supposed to be the most secure of systems. The Office of Personnel Management, which is the government’s human resources agency, said it is notifying 4 million people that “personally identifiable information” may have been compromised in the breach. [More]


Google’s new privacy settings page aims to give users more control

CIO, 1 Jun 2015 – Google has launched a centralized hub that lets users manage the privacy and security controls of all its services, and introduced a site with information about these topics. On My Account, people can control settings for Search, Maps, YouTube, Gmail and other products in one place, Google said in a blog post on Monday. [More]


Heartland issues breach notification letters after computer theft

CSO Online, 1 Jun 2015 – In a letter to the California Attorney General, Heartland Payment Systems has disclosed a data breach impacting personal information. The letter states that the data exposure is the result of a break-in at one of their offices, which included stolen computers. The incident involved the theft of many items including password protected computers that might have contained Social Security Numbers and/or banking information that is processed by employers. [More]


IRS Using 13-Yr. Old Microsoft Software

Fox News, 1 Jun 2015 – IRS computers are still running the 13-year-old Windows XP operating software which Microsoft stopped supporting a year ago with security updates. Even the agency’s fraud-catching software is two decades old. The outdated software may have played a role in the breach the IRS announced last week in which thieves hacked into the agency’s online service and gained access to more than 100,000 taxpayer accounts. [More]


In 38% of enterprises, security still indistinguishable from IT

451 Research, 14 May 2015 – In IT particularly, a focus on return on investment is prevalent in the assignment of resources, and despite mathematical gymnastics by some security managers, getting to a security ROI is difficult where it is the prevention of loss, not a gain in productivity or efficiency, that occurs. As if this inherent conflict of goals wasn’t hard enough to overcome, a full 38% of enterprises do not even quantify their security investments separate from IT. [More]


What causes data breaches? The terrible complexity and fragility of our IT systems

ZDNet, 13 May 2015 – We need to understand that there are different sorts of breaches and corresponding causes. Most high profile breaches are obviously driven by financial crime, where attackers typically grab payment card details. Breaches are what powers most stolen card crime. Organized crime gangs don’t pilfer card numbers one at a time from people’s computers or insecure websites. Instead of blaming end user security, we need to really turn up the heat on enterprise IT. [More]


Cybersecurity firm accused of staging data breaches to extort clients

Engadget, 9 May 2015 – Have you ever heard of a cybersecurity firm called Tiversa? Well, you’ll likely be hearing about it a lot in the coming weeks because an ex-employee is accusing it of fraud. Richard Wallace, one of its former investigators, has recently testified against the firm in a Washington DC courtroom. During the proceeding, he claimed Tiversa’s employees would hack potential clients to force them to pay for the firm’s services. [More]


9 things you can hire a hacker to do

Business Insider, 8 May 2015 – While it’s well-known that the dark web offers black market marketplaces for things like drugs and firearms, so too are there places where hackers offer up their skills for a fee. These hackers-for-hire offer a wide-ranging menu of services, many of which are likely not legal. [More]


Microsoft Intros Azure Stack for Private Data Centers

Data Center Knowledge, 6 May 2015 – Microsoft introduced a “home version” of its Azure public cloud, expected to enter preview this summer. Unlike home versions of game shows, Azure Stack is the real thing: customers can run the same technology behind Microsoft’s public cloud offering in their own private data center. Azure Stack extends Azure to any data center, a move that will boost both Microsoft’s hybrid play and Azure’s adoption in general. [More]


Awareness lessons from the Sony hack

CSO Online, 6 May 2015 – As more information is disclosed from the Sony hack, it demonstrates that awareness concerns go well beyond phishing. The now infamous Sony hack was the culmination of a variety of technical and non-technical vulnerabilities. While the attention tends to focus on the fact North Korea was the attacker, and that is important, from a practitioner’s perspective, it is more important to understand what allowed the attacks to be successful. [More]


Microsoft announces 24×7 update plans for Windows 10 devices

Beta News, 5 May 2015 – At the Ignite 2015 event, the company said that it will be pushing security updates every day instead of delivering them once a month. Home users will be getting updates more often than ever, Windows chief Terry Myerson noted. Businesses, however, will remain on their monthly cycle — popularly known as Patch Tuesday — as the company plans to first test the update with home users and ensure that those patches aren’t breaking anything. [More]


Netflix open-sources security incident management tool

CIO, 4 May 2015 – Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents. Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones. Netflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system. [More]


Written by Doug Vitale

July 6, 2015 at 5:15 PM
